Steve Gibson’s “password haystack”

Security guru Steve Gibson offers a clever passphrase evaluator page, including some general guidance on practical ways to create “real world useable” passwords.

Every password you use can be thought of as a needle hiding in a haystack. After all searches of common passwords and dictionaries have failed, an attacker must resort to a “brute force” search – ultimately trying every possible combination of letters, numbers and then symbols until the combination you chose is discovered.

This is quite different from typical “password strength” evaluators, which examine entropy (how random the characters in your proposed string are).

We will be changing some passphrases based on Steve’s insights.

BTW, don’t forget that password crackers know how to build test phrases by combining dictionary words with white space. So a string of lower case words separated by spaces is secure if it is a really long phrase (easy to do with Steve’s methodology). It’s a good idea to vary the whitespace too.
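As an added example (not code from Gibson’s page or from this post), here is the haystack arithmetic from the paragraphs above next to the dictionary-words caveat. The character-class sizes follow the convention Gibson’s calculator uses (26 lower, 26 upper, 10 digits, 33 symbols); the function names, the guess rate, the dictionary size and the separator count are assumptions I made for the example, and the sample candidates are constructed, three of them taken from the comments below.

```python
import string

# Character-class sizes as used on Gibson's haystack page; the 33 symbols are the
# printable ASCII characters that are neither letters nor digits (space included).
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def alphabet_size(password: str) -> int:
    """Alphabet an exhaustive search must cover, inferred from the classes present.
    A brute-force search cannot know which classes you used, but it tries the
    smaller alphabets first, so this is the conventional assumption the haystack
    calculator makes (hypothetical helper, not Gibson's code)."""
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGITS
    if any(c == " " or c in string.punctuation for c in password):
        size += SYMBOLS
    return size


def haystack_size(password: str) -> int:
    """Every string of length 1..len(password) over the inferred alphabet:
    the number of guesses an exhaustive search needs in the worst case."""
    c = alphabet_size(password)
    return sum(c ** k for k in range(1, len(password) + 1))


def wordlist_space(word_count: int, dictionary_size: int, separator_choices: int = 1) -> int:
    """Guesses needed to exhaust every phrase of word_count dictionary words joined by
    one of separator_choices separators: the search that runs *before* the haystack
    search, and the reason a short phrase of common words is weak."""
    return dictionary_size ** word_count * separator_choices ** (word_count - 1)


def years_to_exhaust(guesses: int, guesses_per_second: float) -> float:
    """Worst-case time to run a search of the given size at the given rate."""
    return guesses / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Constructed sample candidates; the first three appear in the comments on the post.
    candidates = [
        "password",
        "E@sy*2*Cr@ck",
        ",,,,,,,,,,2Pass,,,,,,,,,,nytimes.com",
        "correct horse battery staple",  # four common words, lower case plus spaces
    ]
    offline_rate = 1e11  # assumed guesses per second; a round figure, not a measurement
    for pw in candidates:
        h = haystack_size(pw)
        print(f"{pw!r}: alphabet={alphabet_size(pw)} haystack={h:.3e} "
              f"~{years_to_exhaust(h, offline_rate):.3e} years at {offline_rate:.0e}/s")

    # The caveat from the post: a four-word phrase falls to a word-list search long
    # before its haystack is exhausted. Assumes a 100,000-word list and 4 separator styles.
    d = wordlist_space(4, 100_000, 4)
    print(f"4 dictionary words: {d:.3e} guesses, "
          f"~{years_to_exhaust(d, offline_rate):.3e} years at {offline_rate:.0e}/s")
```

The two numbers printed for the word phrase are the point: the haystack figure is what Gibson’s page reports, the word-list figure is what the phrase is actually worth if its words are all in the attacker’s list, so the phrase has to be long (or the separators varied) for the two to be comparable.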

The relevant podcast is Security Now #303, which includes some useful commentary on Mac OS X security issues.

4 thoughts on “Steve Gibson’s “password haystack””

  1. Duncan – I agree, I had the same thought when I first opened Steve’s page. That said, Gibson is one of the most trustworthy guys I can think of.

    Anyhow, no need to test exactly the trial passphrase you are considering.

  2. Can you tell me if I understand the concept? Here is my understanding:
    For example. I want my password to be something easy to remember so I choose “password” for this site. Now I make up some padding… I choose an easy phrase to remember “easy to crack” as my pad. I convert that to all 4 elements and get something like this: E@sy*2*Cr@ck. Now I put that padding before, in the middle, and after my password. I get this: E@sy*2*Cr@ckpassE@sy*2*Cr@ckwordE@sy*2*Cr@ck. Now I can have a different password for every site I go to that would seem to be pretty secure. I make my password “i am broke” for a banking site. It turns out like this: iE@sy*2*Cr@ckamE@sy*2*Cr@ckbroke. Did I get it right?

  3. Hi Seth – indeed you got it right. If my take is correct, then you could make your scheme simpler as follows – for two site examples (put the URL in there for easy remembrance):

    ,,,,,,,,,,2Pass,,,,,,,,,,nytimes.com

    ,,,,,,,,,, 2Pass,,,,,,,,,,wsj.com

    Once the dictionary type cracks have failed, the cracker is exhaustively trying increasing length strings – there is no pattern recognizer working on your passphrase, so there is no benefit to the “obfuscation”. The only signal the cracker gets on each trial is pass/fail.

    Personally I like ‘wallets’ such as 1Password for convenience, as minimum keystrokes connect to the target site and automagically log in. Convenience aside, we have to deal with sites that limit length (too short) and character set. Often these are financial sites (!) so for those I prefer to use a classical random, high-entropy password.
